Bug 1432358: Make resource URIs subject to CSP. r=gijs
authorChristoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
Thu, 25 Jan 2018 14:20:31 +0100
changeset 404338 fc871960d805efc5b3c4ac9e0682312d7bb23bda
parent 404337 7faf85adc8988c19f9d5a1b396d129c84e6b28f9
child 404339 a8b53e720ac7c35192eada9bf7c174df78105504
push id99986
push userarchaeopteryx@coole-files.de
push dateSun, 18 Feb 2018 13:17:27 +0000
reviewersgijs
bugs1432358
milestone60.0a1
Bug 1432358: Make resource URIs subject to CSP. r=gijs
dom/security/nsCSPService.cpp
--- a/dom/security/nsCSPService.cpp
+++ b/dom/security/nsCSPService.cpp
@@ -49,20 +49,20 @@ subjectToCSP(nsIURI* aURI, nsContentPoli
   // TYPE_DOCUMENT   -- used for frame-ancestors
   if (aContentType == nsIContentPolicy::TYPE_CSP_REPORT ||
       aContentType == nsIContentPolicy::TYPE_REFRESH ||
       aContentType == nsIContentPolicy::TYPE_DOCUMENT) {
     return false;
   }
 
   // The three protocols: data:, blob: and filesystem: share the same
-  // protocol flag (URI_IS_LOCAL_RESOURCE) with other protocols, like
-  // chrome:, resource:, moz-icon:, but those three protocols get
-  // special attention in CSP and are subject to CSP, hence we have
-  // to make sure those protocols are subject to CSP, see:
+  // protocol flag (URI_IS_LOCAL_RESOURCE) with other protocols,
+  // but those three protocols get special attention in CSP and
+  // are subject to CSP, hence we have to make sure those
+  // protocols are subject to CSP, see:
   // http://www.w3.org/TR/CSP2/#source-list-guid-matching
   bool match = false;
   nsresult rv = aURI->SchemeIs("data", &match);
   if (NS_SUCCEEDED(rv) && match) {
     return true;
   }
   rv = aURI->SchemeIs("blob", &match);
   if (NS_SUCCEEDED(rv) && match) {
@@ -80,22 +80,33 @@ subjectToCSP(nsIURI* aURI, nsContentPoli
   if (NS_SUCCEEDED(rv) && match) {
     return false;
   }
   rv = aURI->SchemeIs("javascript", &match);
   if (NS_SUCCEEDED(rv) && match) {
     return false;
   }
 
-  // Other protocols are not subject to CSP and can be whitelisted:
-  // * URI_IS_LOCAL_RESOURCE
-  //   e.g. chrome:, data:, blob:, resource:, moz-icon:
   // Please note that it should be possible for websites to
   // whitelist their own protocol handlers with respect to CSP,
-  // hence we use protocol flags to accomplish that.
+  // hence we use protocol flags to accomplish that, but we also
+  // want resource:, chrome: and moz-icon to be subject to CSP
+  // (which also use URI_IS_LOCAL_RESOURCE).
+  rv = aURI->SchemeIs("resource", &match);
+  if (NS_SUCCEEDED(rv) && match) {
+    return true;
+  }
+  rv = aURI->SchemeIs("chrome", &match);
+  if (NS_SUCCEEDED(rv) && match) {
+    return true;
+  }
+  rv = aURI->SchemeIs("moz-icon", &match);
+  if (NS_SUCCEEDED(rv) && match) {
+    return true;
+  }
   rv = NS_URIChainHasFlags(aURI, nsIProtocolHandler::URI_IS_LOCAL_RESOURCE, &match);
   if (NS_SUCCEEDED(rv) && match) {
     return false;
   }
   // all other protocols are subject To CSP.
   return true;
 }
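Review bot: The three new `SchemeIs` checks for resource:, chrome: and moz-icon: test only the outermost scheme of `aURI`, while the exemption directly after them uses `NS_URIChainHasFlags`, which also matches inner URIs. A nested URI wrapping one of these schemes would therefore miss the new `return true` branches and still be exempted by the `URI_IS_LOCAL_RESOURCE` check; whether content can actually trigger such a load is not visible in this hunk and should be confirmed. If these schemes are meant to be subject to CSP in every case, run the checks on the innermost URI, e.g. `nsCOMPtr<nsIURI> inner = NS_GetInnermostURI(aURI);` and then `inner->SchemeIs("resource", &match)` with a null check on `inner`. Note also that a failing `SchemeIs` falls through to the flag-based exemption, so an error here fails open instead of enforcing CSP. The start of subjectToCSP lies outside this hunk.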